gh0strat | 794ec24e28f6351c9ad2c04101d774e9763f4f444cfb7c15da782922c6f07e69

Sharing

Copy URL

Twitter E-mail

General

Target

794ec24e28f6351c9ad2c04101d774e9763f4f444cfb7c15da782922c6f07e69
Size

1.2MB
MD5

791a88d0cafa95f8fa4a548f242f032a
SHA1

ea872c3ecd14e55ec4b013278aed286b0da9e1ed
SHA256

794ec24e28f6351c9ad2c04101d774e9763f4f444cfb7c15da782922c6f07e69
SHA512

ef6357e33a2c0962b66485d03f51bcab1456eb3985113c074ad5524dab98e8cdd82fba0f281ca3b7f3f2d71f274cd65b797c0c66f4c33bdae8b60b4a8293355c
SSDEEP

24576:wTuZCN0qRwoDFGMmtci8l8cq1PXv0uM5GrkQPXHMtR1tD1bqtT6RqK0Xcda:PgZrLsT6a

Score

10^/10

rootkit gh0strat purplefox

Malware Config

Signatures

Detect PurpleFox Rootkit 1 IoCs
Detect PurpleFox Rootkit.
rootkit

Processes:

resource yara_rule

sample purplefox_rootkit
Gh0st RAT payload 1 IoCs

Processes:

resource yara_rule

sample family_gh0strat
Gh0strat family
gh0strat
Purplefox family
purplefox

resource	yara_rule
sample	purplefox_rootkit

resource	yara_rule
sample	family_gh0strat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
794ec24e28f6351c9ad2c04101d774e9763f4f444cfb7c15da782922c6f07e69

Files

794ec24e28f6351c9ad2c04101d774e9763f4f444cfb7c15da782922c6f07e69
.dll windows:4 windows x86 arch:x86

6718574bfa82ab04bcaf82fa9136fc6c

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

Process32First
GetSystemDirectoryA
TerminateProcess
OpenProcess
ExitProcess
GetVersion
DeviceIoControl
Beep
GetVersionExA
GetModuleFileNameA
WinExec
TerminateThread
GetTickCount
GetCommandLineA
FreeConsole
GetCurrentProcessId
GetConsoleProcessList
AttachConsole
GetWindowsDirectoryA
WideCharToMultiByte
MultiByteToWideChar
GlobalSize
QueryPerformanceFrequency
QueryPerformanceCounter
LoadLibraryW
GlobalMemoryStatusEx
GetDriveTypeA
ReleaseMutex
CreateMutexA
GetCurrentThread
GetEnvironmentVariableA
GetCurrentThreadId
CreatePipe
CopyFileA
lstrcpyW
Module32Next
lstrcmpiA
Module32First
CreateRemoteThread
GetProcessId
ResumeThread
OpenThread
Thread32Next
Thread32First
SuspendThread
Process32Next
GlobalMemoryStatus
GetComputerNameA
GetPrivateProfileStringA
SystemTimeToTzSpecificLocalTime
lstrcpynA
lstrcmpA
lstrcatA
CreateProcessA
GetProcAddress
lstrcpyA
CreateDirectoryA
GetLastError
DeleteFileA
GetCurrentProcess
IsWow64Process
SetFilePointer
WriteFile
CreateFileA
GetFileSize
ReadFile
lstrlenA
FreeLibrary
IsBadReadPtr
VirtualProtect
HeapReAlloc
HeapAlloc
GetProcessHeap
HeapFree
CancelIo
SetEvent
ResetEvent
CreateEventA
LocalAlloc
LocalReAlloc
LocalSize
LocalFree
Sleep
GetFileAttributesA
GetModuleHandleA
GetLocalTime
GlobalAlloc
GlobalLock
GlobalFree
GlobalUnlock
CreateThread
VirtualAlloc
EnterCriticalSection
LeaveCriticalSection
VirtualFree
DeleteCriticalSection
InitializeCriticalSection
InterlockedExchange
CreateToolhelp32Snapshot
GetFileAttributesExA
FileTimeToSystemTime
MoveFileA
SetFileAttributesA
RemoveDirectoryA
FindFirstFileA
FindNextFileA
FindClose
GetLogicalDriveStringsA
GetVolumeInformationA
GetPriorityClass
GetDiskFreeSpaceExA
WaitForSingleObject
CloseHandle
LoadLibraryA
GetSystemInfo

user32

SetRect
GetCursorPos
GetCursorInfo
PostMessageA
SetCursorPos
WindowFromPoint
SetCapture
MapVirtualKeyA
SystemParametersInfoA
ReleaseDC
BlockInput
DestroyCursor
LoadCursorA
GetDC
GetSystemMetrics
ChangeDisplaySettingsA
FindWindowA
ShowWindow
MoveWindow
GetWindowRect
SwapMouseButton
ExitWindowsEx
EnumWindows
GetKeyState
GetAsyncKeyState
GetForegroundWindow
GetWindowTextA
CharNextA
GetDesktopWindow
wsprintfA
EmptyClipboard
SetClipboardData
OpenClipboard
GetClipboardData
CloseClipboard
GetWindowLongA
PostQuitMessage
SetWindowLongA
LoadIconA
SetClassLongA
DestroyWindow
SetFocus
GetWindowTextLengthA
SetWindowTextA
SetDlgItemTextA
CreateDialogIndirectParamA
GetDlgItem
SetWindowPos
OpenInputDesktop
GetDlgItemTextA
CloseDesktop
GetThreadDesktop
GetUserObjectInformationA
SetThreadDesktop
GetWindowThreadProcessId
WaitForInputIdle
GetClassNameA
GetWindow
GetLastInputInfo
IsIconic
MessageBoxA
IsWindowVisible
GetMessageA
IsDialogMessageA
TranslateMessage
SendMessageA
DispatchMessageA

gdi32

GetDeviceCaps
CreateDIBSection
CreateCompatibleDC
DeleteObject
DeleteDC
BitBlt
GetRegionData
CombineRgn
CreateRectRgnIndirect
GetDIBits
CreateCompatibleBitmap
SelectObject

advapi32

RegOpenKeyA
GetTokenInformation
LookupAccountSidA
AbortSystemShutdownA
RegCloseKey
RegOpenKeyExA
GetUserNameA
CloseEventLog
ClearEventLogA
OpenEventLogA
RegSetValueExA
RegCreateKeyA
StartServiceA
CloseServiceHandle
OpenServiceA
OpenSCManagerA
SetServiceStatus
DeleteService
FreeSid
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
AllocateAndInitializeSid
RegEnumValueA
RegEnumKeyExA
RegQueryValueExA
RegDeleteValueA
RegDeleteKeyA
RegQueryInfoKeyA
RegCreateKeyExA
UnlockServiceDatabase
ChangeServiceConfigA
LockServiceDatabase
ControlService
QueryServiceStatus
QueryServiceConfig2A
QueryServiceConfigA
EnumServicesStatusA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
CheckTokenMembership

shell32

ShellExecuteExA
SHGetFolderPathA
SHGetSpecialFolderPathA
SHGetFileInfoA
ShellExecuteA

ole32

CoUninitialize
CoCreateInstance
CoInitialize

oleaut32

SysFreeString

mfc42

ord825
ord823
ord801
ord540
ord541
ord800
ord3811
ord860
ord2614
ord668
ord6883
ord941
ord3181
ord3304
ord3010
ord3310
ord3324
ord4215
ord1980
ord3178
ord4058
ord2781
ord2770
ord922
ord537
ord858
ord356
ord1979
ord2764
ord6874
ord5572
ord5442
ord2915
ord4204
ord665
ord5186
ord354
ord6143
ord2818
ord4202
ord924
ord926
ord3663
ord6876
ord939
ord536
ord535
ord5710
ord6282
ord2763
ord4278
ord6662
ord4129
ord2784
ord6283
ord940
ord5440
ord6383
ord6394
ord2919
ord5450

msvcrt

_adjust_fdiv
_initterm
_onexit
__dllonexit
??1type_info@@UAE@XZ
_snprintf
swprintf
_splitpath
strncpy
atol
strncat
realloc
fgets
srand
time
isdigit
_iob
_access
wcstombs
mbstowcs
_errno
_wcsupr
_strcmpi
_itoa
_strnicmp
fprintf
sscanf
getenv
vsprintf
exit
__CxxFrameHandler
memmove
ceil
_ftol
strstr
wcslen
wcscpy
sprintf
printf
fclose
fopen
remove
atoi
free
malloc
strncmp
_CIpow
floor
strchr
tolower
_CxxThrowException
_stricmp
_except_handler3
strrchr
_strlwr
wcsstr
rand
system

msvcp60

??0_Lockit@std@@QAE@XZ
??1_Lockit@std@@QAE@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K@Z
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
?_Xlen@std@@YAXXZ
?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Xran@std@@YAXXZ
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z
?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
??0Init@ios_base@std@@QAE@XZ
??1Init@ios_base@std@@QAE@XZ
??0_Winit@std@@QAE@XZ
??1_Winit@std@@QAE@XZ

winmm

mciSendStringA
waveInGetNumDevs

ws2_32

gethostname
inet_addr
getsockname
bind
getpeername
accept
listen
sendto
recvfrom
ntohs
inet_ntoa
send
closesocket
recv
select
gethostbyname
connect
setsockopt
WSAIoctl
WSACleanup
WSAStartup
__WSAFDIsSet
ioctlsocket
socket
htons

iphlpapi

GetIfTable

dwmapi

DwmIsCompositionEnabled
ord102

shlwapi

PathFindFileNameA
PathUnquoteSpacesA
PathRemoveArgsA
PathGetArgsA
SHDeleteKeyA

wininet

InternetGetConnectedState
InternetReadFile
HttpSendRequestA
InternetOpenUrlA
HttpOpenRequestA
InternetOpenA
InternetConnectA
InternetCloseHandle
HttpQueryInfoA

netapi32

NetUserSetInfo
NetUserAdd
NetUserGetLocalGroups
NetApiBufferFree
NetUserGetInfo
NetUserEnum
NetLocalGroupAddMembers
NetUserDel

psapi

GetProcessMemoryInfo
GetModuleFileNameExA

wtsapi32

WTSEnumerateSessionsA
WTSDisconnectSession
WTSLogoffSession
WTSQuerySessionInformationA
WTSFreeMemory
WTSQuerySessionInformationW

Exports

Exports

Shellex

Sections

.text
Size: 608KB - Virtual size: 607KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rodata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rotext
Size: 108KB - Virtual size: 107KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 268KB - Virtual size: 265KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 200KB - Virtual size: 634KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 36KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

6718574bfa82ab04bcaf82fa9136fc6c

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

mfc42

msvcrt

msvcp60

winmm

ws2_32

iphlpapi

dwmapi

shlwapi

wininet

netapi32

psapi

wtsapi32

Exports

Exports

Sections

.text Size: 608KB - Virtual size: 607KB

.rodata Size: 12KB - Virtual size: 11KB

.rotext Size: 108KB - Virtual size: 107KB

.rdata Size: 268KB - Virtual size: 265KB

.data Size: 200KB - Virtual size: 634KB

.rsrc Size: 4KB - Virtual size: 16B

.reloc Size: 36KB - Virtual size: 32KB

.text
Size: 608KB - Virtual size: 607KB

.rodata
Size: 12KB - Virtual size: 11KB

.rotext
Size: 108KB - Virtual size: 107KB

.rdata
Size: 268KB - Virtual size: 265KB

.data
Size: 200KB - Virtual size: 634KB

.rsrc
Size: 4KB - Virtual size: 16B

.reloc
Size: 36KB - Virtual size: 32KB